Fix WebPrincipal not serializable.

Because of a thread-local field in the securityContext field.

Author: OndroMih

appserver/security/webintegration/src/main/java/com/sun/web/security/RealmAdapter.java

@@ -440,14 +440,15 @@ public boolean invokeAuthenticateDelegate(HttpRequest request, HttpResponse resp
         LoginConfig config = context.getLoginConfig();
 
         if (isJakartaAuthenticationEnabled()) {
+            final SecurityContext securityContext = SecurityContext.getCurrent();
             // Jakarta Authentication is enabled for this application
             try {
                 context.fireContainerEvent(BEFORE_AUTHENTICATION, null);
                 RequestFacade requestFacade = (RequestFacade) request.getRequest();
-                SecurityContext.getCurrent().setSessionPrincipal(requestFacade.getRequestPrincipal());
+                securityContext.setSessionPrincipal(requestFacade.getRequestPrincipal());
                 return validate(request, response, config, authenticator, calledFromAuthenticate);
             } finally {
-                SecurityContext.getCurrent().setSessionPrincipal(null);
+                securityContext.setSessionPrincipal(null);
                 context.fireContainerEvent(AFTER_AUTHENTICATION, null);
             }
         }

nucleus/security/core/src/main/java/com/sun/enterprise/security/SecurityContext.java

@@ -72,11 +72,12 @@ public class SecurityContext extends AbstractSecurityContext {
 
     private static AuthPermission doAsPrivilegedPerm = new AuthPermission("doAsPrivileged");
 
+    // this is static because it's a thread local, which isn't serializable
+    private static ThreadLocal<Principal> sessionPrincipal = new ThreadLocal<>();
+
     // Did the client log in as or did the server generate the context
     private boolean serverGeneratedSecurityContext;
 
-    private final ThreadLocal<Principal> sessionPrincipal = new ThreadLocal<>();
-
     /*
      * This creates a new SecurityContext object. Note: that the docs for Subject state that the internal sets (eg. the
      * principal set) cannot be modified unless the caller has the modifyPrincipals AuthPermission. That said, there may be